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DETAILED ACTION 



This final action is in response to the amendment filed on 12/08/2008. Claims 1-24 are 
pending and have been considered as follows. 

Examiner Note 

In light of the applicant's remarks, the examiner hereby withdraws his previous Claim 
Objections with respect to Claims 1,7, 13, & 19 (the Claim Objection with respect to Claim 19 
"being operable to" has been maintained) and withdraws his previous 35 U.S.C. 101 rejection 
with respect to Claim 7. Upon reconsideration, it was brought to the attention of the examiner 
that FIG 1 and pages 1 & 5-7, of the applicant's Specification, provides reasonable structural 
support for the "means for"; 

The Applicant appears to be attempting to invoke 35 U.S.C. 1 12 6 th paragraph in Claim 7 

by using "means-plus-function" language. The Examiner notes that the claims appear to pass all 

of the three-prong test used to determine invocation of paragraph 6. Therefore, 35 U.S.C. 1 12 6 th 

paragraph has been invoked when considering these claims below. 

A claim limitation will be presumed to invoke 35 U.S.C. 112, sixth 
paragraph, if it meets the following 3-prong analysis: 

(A) the claim limitations must use the phrase "means for " or "step for; 

(B) the "means for " or "step for " must be modified by functional 
language; and 

(C) the phrase "means for " or "step for " must not be modified by 
sufficient structure, material, or acts for achieving the specified function. 
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The examiner notes that the previous rejection under 35 U.S.C. 103(a) contained 
typographical errors. The prior art of record referred to as Nakae et al. US-20040172558-A1, 
was mistyped and should have been US-20040 172557- A 1 ('7' instead of '8' at the end), 
therefore it is herein corrected for clarity of record with the attached Notice of References. 



Claim Objections 

1 . Claim 19 is objected to because of the following informalities: 

- Claim 19 line 2 recites "being operable to" which should be replaced with language 

which does not raise the question as to the limiting effect of the language as similar to the 
below; 

Claim scope is not limited by claim language that suggests or makes optional but 
does not require steps to be performed, or by claim language that does not limit a claim 
to a particular structure. However, examples of claim language, although not exhaustive, 
that may raise a question as to the limiting effect of the language in a claim are: 

(A) " adapted to " or "adapted for " clauses; 

(B) " wherein " clauses; and 

(C) " whereby " clauses. 

The determination of whether each of these clauses is a limitation in a claim depends 
on the specific facts of the case. In Hoffer v. Microsoft Corp., 405 F.3d 1326, 1329, 74 
USPQ2d 1481, 1483 (Fed. Cir. 2005), the court held that when a "whereby ' clause states 
a condition that is material to patentability, it cannot be ignored in order to change the 
substance of the invention. " Id. However, the court noted (quoting Minton v. Nat 'I Ass 'n 
of Securities Dealers, Inc., 336 F. 3d 1373, 1381, 67 USPQ2d 1614, 1620 (Fed. Cir. 
2003)) that a "whereby clause in a method claim is not given weight when it simply 
expresses the intended result of a process step positively recited. "' Id. 
Appropriate correction is required. 
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Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1-5, 7-11, 13-17, 19-23 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Vaidva (US-62791 13-B1) in view of Nakae et al. (US-20040172557-A1). 

Claim 1,7, 13, & 19: 

Vaidya discloses a method/a computer recording medium including computer executable code 
for maintaining security of a computer system and a system for maintaining computer security 
comprising, 

"providing access to a database of signatures" (i.e. "the data repository 12 includes a 
database handler 26 which polls the data collectors 10 for intrusion detection data and 
stores the data for future reference") [column 5 lines 47-50]; 

"each signature including a signature certainty value" (i.e. "The attack signature profile 
type can be either simple, sequential or a timer/counter based") [column 7 lines 2-4]; 

- "receiving data" (i.e. "The remote network 24 is connected to the LAN 1 1 and is 
equipped with a data collector 10 which monitors work stations located on the remote 

- network 24 and transmits network security data specific to the remote network back to 
the data repository 12. Both the remote network 24 and the LAN 1 1 are connected to the 
global communications network referred to as the Internet") [column 5 lines 39-46]; 
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"comparing the received data with the database of signatures" (i.e. "The attack signature 
profiles are adapted for detecting network data patterns associated with network 
intrusions which include unauthorized attempts to access network objects, unauthorized 
manipulation of network data, including data transport, alteration or deletion, and 
attempted delivery of malicious data packets capable of causing a malfunction in a 
network object") [column 5 lines 33-39]; 

"filtering the data based on the system certainty value and the signature certainty value of 
a signature matching the received data" (i.e. "If in step 64 the data collector 10 
determines that the data packet is not associated with a network intrusion, the data 
collector continues to monitor data in step 58. If a network intrusion is detected, the 
reaction module is notified in step 66. The reaction module 38 takes steps to trace the 
application session associated with the data packet, to terminate the session, and/or to 
notify the network administrator") [column 7 lines 4-11]; 
but, Vaidya does not explicitly disclose, 

- "determining an initial system certainty value for the computer system," although Nakae 
et al. do suggest obtaining a confidence level, as recited below; 

"increasing the system certainty value if the received data does not match a signature in 
the database," although Nakae et al. do suggest increasing a confidence level, as recited 
below; 

"decreasing the system certainty value if the received data matches a signature in the 
database," although Nakae et al. do suggest decreasing a confidence level, as recited 
below; 
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however, Nakae et al. do disclose, 

- "obtains a confidence level" [page 10 para 174 line 3]; 

"the relevant confidence level is increased" [page 10 para 176 lines 3-4]; 

- "For example, when having received an alert denoting the source IP address "12. 34. 56. 
78" through the control interface 106, the defense rule determination section 1001 
interprets it as subtracting one (1) from the confidence level for the IP address "12. 34. 
56. 78" and instructs the confidence management section 502/701 to decrement the 
corresponding confidence level by one" [page 13 pare 239 lines 1-7]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "determining an initial system certainty value for the computer 
system" and "increasing the system certainty value if the received data does not match a 
signature in the database" and "decreasing the system certainty value if the received data 
matches a signature in the database," in the invention as disclosed by Vaidya for the purposes of 
utilizing confidence levels in conjunction with various intrusion detection schemes (i.e. anomaly 
based, signature based, etc.) to filter incoming network traffic (i.e. incoming traffic from the 
Internet). 

Claims 2, 8, 14, & 20: 

Vaidya and Nakae et al. disclose a method/a computer recording medium including computer 
executable code for maintaining security of a computer system and a system for maintaining 
computer security, as in Claims 1,7, 13, & 19 above, their combination further disclosing, 
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"the data that does not match a signature in the database is forwarded to its destination" 
(i.e. "indicating which network objects are not permitted to access other network 
objects") [column 6 lines 34-35]. 
Claims 3, 9, 15, & 21: 

Vaidya and Nakae et al. disclose a method/a computer recording medium including computer 
executable code for maintaining security of a computer system and a system for maintaining 
computer security, as in Claims 1,7, 13, & 19 above, but Vaidya does not explicitly disclose, 
- "the increased or decreased certainty value becomes the initial system value," although 
Nakae et al. do suggest updating confidence levels, as recited below; 
however, Nakae et al. do disclose, 

"as shown in the following formula (4), a constant C (>1) is added to the confidence level 
c[n] to produce an updated confidence level c[n+l]" [page 10 para 176 lines 4-6]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the increased or decreased certainty value becomes the initial 
system value," in the invention as disclosed by Vaidya for the purposes of updating the 
confidence level of a requester to determine if the requester exceeds a threshold, thereby 
determining if a requester is permitted or denied access to the network. 
Claims 4, 10, 16, & 22: 

Vaidya and Nakae et al. disclose a method/a computer recording medium including computer 
executable code for maintaining security of a computer system and a system for maintaining 
computer security, as in Claims 1, 7, 13, & 19 above, their combination further disclosing, 
"the data comprises a packet of data" (i.e. "data packets") [column 5 line 38]. 
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Claims 5, 11, 17, & 23: 

Vaidya and Nakae et al. disclose a method/a computer recording medium including computer 
executable code for maintaining security of a computer system and a system for maintaining 
computer security, as in Claims 1, 7, 13, & 19 above, but Vaidya does not explicitly disclose, 

"the filtering further comprises forwarding the data if the signature certainty value is less 
than the system certainty value," although Nakae et al. do suggest the confidence level 
exceeding the threshold value, as recited below; 

- "the filtering further comprises discarding the data if the signature certainty value is 
greater than the system certainty value," although Nakae et al. do suggest blocking access 
when the confidence does not exceed the threshold, as recited below; 

however, Nakae et al. do disclose, 

- "After the confidence level c has exceeded the threshold value T, the IP packets of the 
access from the ordinary host 302 are guided to the server 401 on the internal network 4" 
[page 11 para 193 lines 16-19]; 

- "This causes input IP packets to be continuously guided to the decoy unit. Thereafter, 
when detecting an attack corresponding to "intrusion" or "destruction", the permanent 
access blocking is made active" [page 14 para 249 lines 7-11]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the filtering further comprises forwarding the data if the 
signature certainty value is less than the system certainty value" and "the filtering further 
comprises discarding the data if the signature certainty value is greater than the system certainty 
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value," in the invention as disclosed by Vaidya for the purposes of providing a determination as 
to whether a requester is permitted or denied access to the network according to a confidence 
level. 

4. Claims 6, 12, 18, 24 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Vaidya (US-62791 13-B1) in view of Nakaeetal. (US-20040172557-A1) and in further view of 
Moran (US-7032114-Bl). 
Claims 6, 12, 18, c& 24: 

Vaidya and Nakae et al. disclose a method/a computer recording medium including computer 
executable code for maintaining security of a computer system and a system for maintaining 
computer security, as in Claims 1,7, 13, & 19 above, but their combination do not explicitly 
disclose, 

- "the step of forwarding further comprises generating a message log to indicate that data 
matching a signature was forwarded," although Moran does suggest an event record, as 
recited below; 
however, Moran does disclose, 

"an intrusion detection system comprises a mechanism for checking timestamps, 
configured to identify backward and forward time steps in a log file, filter out expected 
time steps, correlate them with other events, and assign a suspicion value to a record 
associated with an event" [column 4 lines 28-33]; 
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Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the step of forwarding further comprises generating a message 
log to indicate that data matching a signature was forwarded," in the invention as disclosed by 
Vaidya and Nakae et al. for the purposes of recording timed information for future further 
analysis. 

Response to Arguments 

5. Applicant's arguments filed 12/08/2008 have been fully considered but they are not 
persuasive. 

- The applicant's argument with respect to, "these portions disclose the confidence level 
associated with the source of received data, not a system certainty value," has been 
carefully considered but is non-persuasive; 

o The examiner notes that the confidence level's association with the source of 

received data can be interpreted as a "system certainty value" since it is the 

certainty with which the system considers that source; 
The applicant's argument with respect to, "The cited paragraph explains that "the 
confidence management section 502 updates confidence as described for the second 
embodiment." Nakae, 0239. This means that every time the source of received data 
matches an IP address, "the confidence management section 502 updates the stored 
confidence data such that the relevant confidence level is increased" and the data is sent 
to the decoy device. See Nakae, 0176. However, in the new portion relied upon by the 
Office Action, if the decoy device detects an attack, it sends an alert and "the confidence 
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level of the source IP address included in the alert is decreased." Nakae, 0239. The attack 
detection is determined regardless of IP address or data signatures. See Nakae, 0024," has 
been carefully considered but is non-persuasive; 

o The examiner notes that paragraph 0024 does not disclose any suggestion for the 
"attack detection is determined regardless of IP address or data signatures," and 
provides disclosure if not at the very least suggestion for "based on the header 
information of the input IP packet" and "attack category violations" and "detect 
the presence or absence of an attack" (i.e. Nakae et al. makes a correlation 
between increasing/decreasing the confidence level in association with attacks 
based on information); 

Conclusion 

6. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 .136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Examiner Oscar Louie whose telephone number is 571-270-1684. 
The examiner can normally be reached Monday through Thursday from 7:30 AM to 4:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached at 571-272-4195. The fax phone number for 
Formal or Official faxes to Technology Center 2400 is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

OAL 

03/12/2009 



/Nasser G Moazzami/ 

Supervisory Patent Examiner, Art Unit 2436 



